Thursday, October 11, 2007

Insecure by Default

Guess what: I can walk up to your Ubuntu, PCLinuxOS, Debian, etc. desktop installation and take complete control of it without needing a single password. That's right, root access simply by sitting down at your computer. Why does nearly every distro leave this gaping security hole open by default? It is possible to close it during installation; my personal favorite, Sabayon, asks whether you want to password-protect GRUB as part of the install.

What am I talking about? One simple word: 'single'. That's it. Walk up to nearly any default desktop installation, reboot it, and interrupt the boot when the GRUB menu appears. If GRUB is not password-protected, and on almost every installation it isn't, you can now grant yourself root access.

These are the GRUB Legacy (0.9x) menu keystrokes, the GRUB that distributions shipped at the time. On a single- or multi-boot system, highlight the installation you want and, instead of hitting Enter to boot it, press 'e' to edit the entry. Highlight the line that starts with 'kernel' and carries the kernel options, typically the second line, and press 'e' again. Move to the end of that line, append the word 'single', press Enter to accept the change, and press 'b' to boot.

The system starts booting in what looks like normal fashion, with one exception: instead of dropping you into the GUI it drops you at a command line, as root, with no login. Whether that shell is really free depends on the init system: Debian's default inittab, for one, runs /sbin/sulogin in single-user mode and asks for the root password first. An attacker who hits that prompt replaces 'single' with init=/bin/sh, which starts a shell in place of init and never consults the password file, so the outcome is the same. From that point on the system is mine. I can change passwords, add users, start background services such as an FTP or SSH daemon for my own use, or add a hidden user account, not so hidden if you know to look in /etc/passwd, but you have to know to look. In other words, anything.

So I ask again: with security such an assumed benefit of running Linux, why is this hole left open? It can be closed after the fact, and it is not difficult at all. Directions for this simple security measure can be found:

So now, what is your excuse for not securing your bootloader against me? How often do you actually need to edit the boot menu, or even look at it? Isn't five minutes of your time worth knowing that no one is going to get into your system while your back is turned?
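To make the fix concrete, here is an added example (my own script, not code from the original post or from any distribution): it audits a GRUB Legacy (0.9x) menu.lst for the global `password` directive that locks the 'e' editor and the 'c' command line behind a password, and inserts one if it is missing. It assumes the GRUB Legacy layout where directives before the first `title` are global, and that you generate the hash yourself with `grub-md5-crypt`; the hash in the script is a placeholder, and the menu.lst it writes is a constructed sample, not a file from any real system.

```shell
#!/bin/sh
# Added example, not code from the original post. It audits a GRUB Legacy
# (0.9x) menu.lst for the global "password" directive that stops 'e' and 'c'
# at the boot menu, and inserts one if it is missing.
# Assumptions (mine, not the page's): directives before the first "title"
# line are global, as in GRUB Legacy; the hash is the output of running
# `grub-md5-crypt` yourself. The hash below is a placeholder, not a real one.

PLACEHOLDER_HASH='$1$EXAMPLE$replace.with.grub-md5-crypt.output'

# Return 0 if FILE has a "password" directive in the global section
# (before the first "title"), 1 otherwise. A password inside an entry
# does not count: it only protects that entry, not the editor.
grub_legacy_password_set() {
    awk '/^[[:space:]]*title/    { exit }
         /^[[:space:]]*password/ { found = 1; exit }
         END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if the global password is the hashed form ("password --md5 ...")
# rather than a plaintext "password secret", which anyone who can read
# menu.lst can recover.
grub_legacy_password_hashed() {
    awk '/^[[:space:]]*title/ { exit }
         /^[[:space:]]*password[[:space:]]+--md5[[:space:]]/ { ok = 1; exit }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Copy IN to OUT, inserting "password --md5 HASH" just before the first
# "title" line (or at the end if the file has no entries) unless a global
# password directive is already present.
grub_legacy_add_password() {
    in=$1 out=$2 hash=$3
    if grub_legacy_password_set "$in"; then
        cp "$in" "$out"
        return 0
    fi
    awk -v hash="$hash" '
        !done && /^[[:space:]]*title/ { print "password --md5 " hash; done = 1 }
        { print }
        END { if (!done) print "password --md5 " hash }' "$in" > "$out"
}

# Write a constructed sample menu.lst (the typical unprotected layout; not a
# real file from any system) to FILE.
write_sample_menu_lst() {
    cat > "$1" <<'EOF'
default 0
timeout 5

title Debian GNU/Linux
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet
initrd /boot/initrd.img
EOF
}

# Demonstration: audit the sample, then produce a hardened copy.
demo_dir=$(mktemp -d)
write_sample_menu_lst "$demo_dir/menu.lst"
if grub_legacy_password_set "$demo_dir/menu.lst"; then
    echo "menu.lst: global password present"
else
    echo "menu.lst: no global password; 'e' and 'c' are open at the boot menu"
fi
grub_legacy_add_password "$demo_dir/menu.lst" "$demo_dir/menu.lst.hardened" "$PLACEHOLDER_HASH"
echo "--- hardened copy ---"
cat "$demo_dir/menu.lst.hardened"
rm -rf "$demo_dir"
```

With the global `password --md5` line in place, GRUB Legacy still boots the listed entries normally; pressing 'e' or 'c' first requires 'p' and the password. To refuse even booting a given entry without it, put `lock` on the line right after its `title`. This applies to GRUB Legacy only; GRUB 2 uses `set superusers` and `password_pbkdf2` in its own configuration, so the file format and the check above do not carry over.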

Oh, did I mention that Sabayon offers to do this as part of the install routine? I did, but this is a good place for a shameless plug for my distro of choice.

I can do the same thing for Windows. Use a live CD to get access to the filesystem, extract the passwords and log in. A BIOS password can even be overwritten if you have physical access. It is almost impossible to secure a machine from someone who has physical access to it.

As ivanidea mentioned... this isn't so shocking considering anyone with physical access could also simply put in a live CD and mount your filesystem and edit their heart away. From my perspective, security was always only effective until someone has physical access; then you are toast. I remember the old days, people would password-protect their screen saver and they would say "well, now you can't reboot either"... but that is where the ol' power cycle via the PSU cable comes in.

As far as I recall, Ubuntu and Debian will invoke /sbin/sulogin in single-user mode, requiring the root password before giving shell access. But, as people have pointed out, a boot CD or bootable thumb drive would suffice.

Don't get me wrong on this, but the main thrust was to wonder why this step wasn't included by default with most distros. I agree that anyone with physical access to your machine and a little free time will be able to circumvent nearly anything. Not too sure about drive encryption, but as one simple additional step as part of the install? I should at least have the option of saying no to it if I don't want it.

This is possible for any machine if you have physical access, be it Linux or Windows or another OS. You can even boot with a flash drive, CD or floppy and do whatever you like, including copying and modifying files and passwords. With physical access to the computer anything can be done, including stealing the hard disk. One principle of good security is to have good physical security rules enforced. If you don't, anything else is useless. The only exception is encrypting your private data, but this is quite another thing. I think you have too much free time and an acute lack of inspiration to come out with such an article. But hey, who am I to question statements like "the water is wet"?

Yeah, I agree that this may be one of those things that a more advanced user might find a little frustrating. But I think this is one of those things that is enabled to allow for as easy use as possible for a newer user. I try to think of it as if someone locks up their install and needs access but doesn't know how... it's like a safe boot mode that they can easily access without fuss. Do I agree with it... not sure... does it seem helpful to a frustrated and distraught new user... probably. That is just my take... and as we know, with ease comes a downside, and that is usually security. This is just why I tend to like Slack for most of my boxes... it's got that old school "you do it" feel.

I recently did an install of Debian Etch (before upgrading to Lenny but that's beside the point). I used the expert mode gui installer and it gave me the option of choosing a password for GRUB menu access. If memory serves non-expert mode installs do not present you with this choice.

In a business environment, it's typical to have all other boot devices locked so you can't boot from them. Sure, that can be overridden by doing a BIOS reset, but that would require a little more effort since you have to open the case to do it. It is harder to protect against physical access, but that's no excuse not to try.

While obscurity isn't security, I'd stake my house that more people in this world know how to remove a hard drive in under 30 seconds than know how to boot into single-user mode. And once the drive is gone, the data is as good as theirs.

About Me

The posts here are things I have had to teach myself or had to hunt down information on. Regardless I hope the information I have collected or pulled my hair out over saves someone else from doing the same.

Copyright Notice

1. You may link to the article provided that the title of the link is unchanged.

2. You may use excerpts from the article provided that it is no less than an entire paragraph. You may not change the formatting of the paragraphs to fit your purposes.

3. Hard copy versions of the article must include this copyright notice. Digitized versions (HTML, PDF, etc) must include at the least a link back to this copyright notice.

4. It is expressly forbidden to require remuneration of any sort for viewing or accessing links to view this work. In other words this may not be included inside a paid subscription collective of any sort.

Technical Articles:

1. Technical articles or how-to articles need only a link back to the original article and may be edited or referenced in any fashion that is needed.